Obama's Cybercrime Crackdown Already Outdated, Experts Say

In mid-May, the Obama administration called on Congress to expand
the definition of computer crime and to stiffen federal penalties
for hacking into computer systems, doubling the maximum prison
sentences for first-time offenses.

But security and legal experts say the White House suggestions, which would
in part update the Computer Fraud and Abuse Act, are both too
broad and fundamentally ineffective.

They argue that it's time for a wholesale overhaul of federal law
pertaining to computer crime, which has changed radically since
the Computer Fraud and Abuse Act was first drafted in 1986.

Tougher penalties

Right now, the act states that unauthorized intrusion into a
government computer system, however trivial, merits a maximum
sentence of one year; theft of more than $5,000 using a computer,
five years; a first-time offense of jeopardizing national
security via hacking, 10 years; multiple offenses, 20 years.

The White House would raise the maximum sentence for each
first-time offense. Breaking into a government computer would go
from one to three years, theft of more than $5,000 could get you
10 years and the maximum for a first-time jeopardizing of
national security would be 20 years.

The Obama proposals also would add a stand-alone sentence of
three years for anyone caught damaging a "critical
infrastructure" computer, such as one involved in the
electrical, water, financial or transport systems.

They would expand the RICO statutes, originally used against the
Mafia, to cover online criminal activity and extend drug-money
forfeiture laws to enable property seizure from those convicted
of cybercrimes.

Congress has yet to incorporate the recommended measures into any
cybersecurity-related bill.

Amateurs vs. professionals

John W. Dozier Jr. of Dozier Internet Law, a Virginia-based firm,
notes that the existing act doesn't account for different kinds
of hacking.

"It fails to adequately distinguish between relatively minimal
intrusions and intrusions that can affect the economy," Dozier
said.

On one hand, there are pranksters, protesters and vandals such as
LulzSec or Anonymous, who garner lots of publicity but cause
little damage.

On the other, there are professional cybercriminals, who traffic
in passwords and credit-card information for profit, and online
spies, who quietly steal secrets from American corporations and
government agencies. Neither of the latter groups is likely to be
swayed by tougher measures.

Many of the serious offenders are outside the U.S., Dozier notes,
in countries with weak or nonexistent extradition treaties.

Blunt instrument or bargaining tool?

Marcia Hofmann, an attorney at the Electronic Frontier Foundation
in San Francisco, agreed that the Computer Fraud and Abuse Act as
written is a bit of a blunt instrument.

Hofmann cited the MySpace suicide case of 2008, which was said to
fall under the act, though a federal judge rejected that
interpretation. (The case involved a Missouri 13-year-old girl
who hanged herself after being rejected by a boy she met
online — a fictitious boy created by the mother
of a neighboring teenager.)

But the case did show how broadly the act could be interpreted, a
concern separate from the debate over whether stiffer penalties
will make any difference.

One issue for the law and its enforcement is how likely it is
that anyone will be caught.

Alex Muentz, a lecturer at Temple University on computer crime,
says the odds of catching criminals are often low.

Many online gangs, Muentz points out, use botnets, in which
thousands of personal and workplace computers are hijacked to
silently send out spam, host bogus ads or take part in
cyberattacks.

The owners of the computers will have no idea they are
facilitating cybercrime — and the real culprits,
hiding behind proxy servers and encrypted connections, will be
difficult or impossible to track.

For prosecutors, the real leverage comes from getting defendants
to name other people involved.

"Longer sentences do give more power to prosecutors to coerce
apprehended defendants into both assisting law enforcement in
locating other defendants and favorable testimony at trial,"
Muentz said.

Different approaches

Muentz suggested encouraging the companies that get attacked to
pay more attention to security, perhaps using the laws covering
negligence.

In Sony's case, for example, the company was found to have
outmoded systems and weak firewalls, with sensitive customer data
posted on open websites, all of which could be seen as a breach
of responsibility on Sony's part.

But the idea of holding a breached company accountable for the
loss of customer data, Muentz said, doesn't seem to have much
traction in the U.S.

Both Hofmann and Dozier agree that what is necessary is a better
set of definitions. Violating an end-user license agreement
probably should not fall under the statute, nor should every kind
of unauthorized access to a system.

Dozier says that industrial espionage, such as stealing a
competitor's information from a server, would fall under the law
as a criminal act. But civil courts have traditionally dealt with
that kind of activity.

Meanwhile, the federal government has other competing priorities,
so it isn't clear how far the proposals suggested by the White
House will go.

"The government is busy, so they'll make more threatening noises
once they catch a defendant — it's 'doing something,'" Dozier
said.